Dissecting malware on the network

Let's load the PCAP in Wireshark as follows:

We can see that there is a lot of HTTP data present in the PCAP file. Let's add columns to display the full URI and User-Agent entries, and also filter the requests using the http.request.uri filter as follows:

The User-Agent is quite important in malware communications, since malware often does not use the standard User-Agents of popular browsers. We can see we have Mozilla/4.08 (Charon; Inferno) as the User-Agent, and the URI contains a single user, as shown in the previous screenshot. Let's investigate this User-Agent on Google as shown in the following screenshot:

It seems that the HTTP requests are generated by the nefarious LokiBot, a popular malware that steals data from infected systems. Open the third link from the preceding results, which is from https://packettotal.com, and analyze similar samples:

We can see that there have been numerous entries with similar behavior. The important items from the preceding list are the HTTP Method and the User-Agent columns. Let's study this malware a bit more by reading https://forums.juniper.net/t5/Security/A-look-into-LokiBot-infostealer/ba-p/315265 and https://r3mrum.wordpress.com/2017/07/13/loki-bot-inside-out/. We can see that there is plenty to read on the LokiBot analysis. The takeaway for us from the previous links is that the first 16-bit word of the HTTP payload is the LokiBot version. Let's see what it is by making use of the tshark -r /home/deadlist/Desktop/loki-bot_network_traffic.pcap -2 -R http.request.uri -Tfields -e ip.dst -e http.request.full_uri -e http.user_agent -e data -E separator=, | cut -c1-91 command. The command will read the PCAP file defined using the -r switch and will display all packets having a URI, using the http.request.uri filter. The command will print comma-separated values (-E separator=,) of the fields destination IP, full URI, User-Agent and Data (-Tfields).

Since the last value is the data field, cut -c1-91 keeps only the first 91 characters of each line, so the output ends with just the first two bytes (one 16-bit word) of the payload, as shown in the following screenshot:

We can see the first word is 1200, that is, the bytes 12 00. Read as a little-endian 16-bit value this is 0x0012, or 18 in decimal; dividing by 10 gives LokiBot version 1.8. Have a look at the following screenshot:

We can see that, in the next word (the next two bytes), we have the hexadecimal values 27, 28, and 2b. According to the information that we have read, this value defines the functionality of the packet: a value of 27 implies Exfiltrate Application/Credential Data, 28 implies Get C2 commands, and 2b implies Exfiltrate Keylogger Data. This means that LokiBot has done the following activities, in order:

  • Exfiltrated an application's credential data twice
  • Made the new command, which was to exfiltrate key logger data
  • Sent keylogger data
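The detection and decoding steps above can be automated. The following script is an added example and not code from the book or from any LokiBot analysis tool: it takes records in the shape of the tshark field output (destination IP, URI, User-Agent, payload as hex), keeps only the requests that match the chapter's detection criteria (the Mozilla/4.08 (Charon; Inferno) User-Agent and the POST method), decodes the first two little-endian 16-bit words of each body into the version and the function code, and lists the activities in capture order. The sample records, the request path and the bytes after the 4-byte header are constructed for the example; the IP addresses, User-Agent and function-code meanings are those given in the chapter.

```python
# Added example: decode the LokiBot HTTP payload header from tshark-style records.

# User-Agent the chapter attributes to LokiBot, and the function codes carried in
# the second 16-bit word of the payload (values as described in the chapter).
LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"
LOKIBOT_FUNCTIONS = {
    0x27: "Exfiltrate Application/Credential Data",
    0x28: "Get C2 commands",
    0x2B: "Exfiltrate Keylogger Data",
}

# Constructed sample records: (ip.src, ip.dst, method, full URI, User-Agent, data as hex).
# The URI path is a placeholder, not the one from the capture; the payload bytes after
# the 4-byte header are filler.
SAMPLE_REQUESTS = [
    ("172.16.0.130", "185.141.27.187", "POST", "http://185.141.27.187/PLACEHOLDER_URI",
     LOKIBOT_USER_AGENT, "1200" + "2700" + "deadbeef"),
    ("172.16.0.130", "185.141.27.187", "POST", "http://185.141.27.187/PLACEHOLDER_URI",
     LOKIBOT_USER_AGENT, "1200" + "2700" + "cafebabe"),
    # A normal browser request, which the triage must ignore.
    ("172.16.0.130", "93.184.216.34", "GET", "http://example.com/",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", ""),
    ("172.16.0.130", "185.141.27.187", "POST", "http://185.141.27.187/PLACEHOLDER_URI",
     LOKIBOT_USER_AGENT, "1200" + "2800" + "00"),
    ("172.16.0.130", "185.141.27.187", "POST", "http://185.141.27.187/PLACEHOLDER_URI",
     LOKIBOT_USER_AGENT, "1200" + "2b00" + "0102"),
]


def parse_lokibot_header(payload: bytes) -> dict:
    """Decode the first two little-endian 16-bit words of a LokiBot HTTP body.

    Word 0 is the version times ten (bytes 12 00 -> 0x0012 = 18 -> 1.8);
    word 1 is the function code (0x27, 0x28, 0x2b in the chapter's capture).
    """
    if len(payload) < 4:
        raise ValueError("payload shorter than the 4-byte LokiBot header")
    version_word = int.from_bytes(payload[0:2], "little")
    function_word = int.from_bytes(payload[2:4], "little")
    return {
        "version": f"{version_word // 10}.{version_word % 10}",
        "function_code": function_word,
        "function": LOKIBOT_FUNCTIONS.get(function_word, f"unknown (0x{function_word:02x})"),
    }


def triage_requests(requests) -> list:
    """Return the LokiBot beacons in capture order with decoded version and function."""
    findings = []
    for src, dst, method, uri, user_agent, hex_body in requests:
        # Detection exactly as the chapter does it: non-browser User-Agent plus POST.
        if user_agent != LOKIBOT_USER_AGENT or method != "POST":
            continue
        header = parse_lokibot_header(bytes.fromhex(hex_body))
        findings.append({"src": src, "dst": dst, "uri": uri, **header})
    return findings


def summarise(findings: list) -> dict:
    """Collapse the findings into the summary the chapter builds by hand."""
    return {
        "infected_hosts": sorted({f["src"] for f in findings}),
        "c2_servers": sorted({f["dst"] for f in findings}),
        "versions": sorted({f["version"] for f in findings}),
        "activity_sequence": [f["function"] for f in findings],
    }


if __name__ == "__main__":
    results = triage_requests(SAMPLE_REQUESTS)
    for r in results:
        print(f"{r['src']} -> {r['dst']}  v{r['version']}  0x{r['function_code']:02x}  {r['function']}")
    print(summarise(results))
```

Feeding real tshark output into this script only requires splitting each comma-separated line into the same field order; note that recent tshark versions print the `data` field as hex, so `bytes.fromhex` applies directly once any separators are stripped.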

Finally, let's have a look at the data we have got so far:

  • The infected system: 172.16.0.130
  • The command and control server: 185.141.27.187
  • Malware used: LokiBot
  • Malware detection: User-Agent, HTTP Method (POST)
  • Malware activities: Application data exfiltration and keylogging

Having gathered basic information about the malware, let's dive deeper into the exfiltrated data by understanding its patterns in the next section.
